Re: Custom naming convention for exported files


import com.documentum.fc.client.IDfSysObject;
import com.documentum.fc.common.DfException;
import com.documentum.fc.common.DfId;
import com.documentum.fc.common.IDfId;

public IServiceProcessor getServiceProcessor() {

    IServiceProcessor sp = null;

    try {
        sp = createServiceProcessor();

        if (sp instanceof ExportProcessor) {
            ExportProcessor proc = (ExportProcessor) sp;

            if ((getAssemblyObjectId() != null) && (!isIgnoreDescendents())
                    && (getDownloadDescendantsSelection()) && (isObjectVirtualDoc())) {
                // virtual document with descendants
                // ...
            } else if (!isIgnoreDescendents()) {
                // Build the export file name as <book_id>_<book_name> from the
                // object's own attributes instead of the default object_name.
                String objId = getObjectId();
                IDfId objectId = new DfId(objId);
                IDfSysObject sysObj = (IDfSysObject) getDfSession().getObject(objectId);

                String bookID = sysObj.getString("book_id");
                String bookName = sysObj.getString("book_name");
                String objectName = bookID + "_" + bookName;

                // ...
            }
        }
    } catch (DfException e) {
        // ...
    }

    return sp;
}



Regarding Local LUN Move on Unity



Unity use case: block storage for a virtualization platform


Virtual servers: 2 IA servers, with 4 VMs planned per server


Servers and FC switches connected over 8G FC, cross-connected



In that case, can this be achieved with Unity functionality alone? The feature being considered appears to be Local LUN Move.



Breach Response: Mitigating an Outbreak


By Azeem Aleem, Gareth Pritchard and David Gray, RSA Advanced Cyber Defense

It’s mid-2017 and the news is alight with yet another alarming cybersecurity attack: a new strain of malware which, on first analysis, looks very similar to a previously reported family called “Petya”. The new variant is ransomware armed with the EternalBlue exploit for the SMBv1 vulnerability addressed by MS17-010, and it also uses PsExec and reuse of stolen credentials to achieve lateral movement. EternalBlue is one of the exploits leaked by the group of hackers known as the ‘Shadow Brokers’.

This latest attack is not unlike the previously reported WannaCry (also known as WanaCrypt0r 2.0), which also used the EternalBlue exploit to infect machines over the network. This latest attack is more impactful at a technical level because the malware encrypts at the disk level: it overwrites the Master Boot Record and encrypts the file system’s own structures rather than only individual files. In this scenario, recovery is more difficult and time consuming, as the disk has to be wiped and the operating system reinstalled before the files can be restored.

The earlier WannaCry malware used file-level encryption, in which the actual files were replaced with encrypted versions; the hard drive itself was unaffected, and the files could be restored from a backup with relative simplicity, assuming backups were available.

In the previous WannaCry attack, emergency services and public safety were severely impacted: hospitals closed and ambulances were re-routed due to the malware outbreak.

The full extent of this latest Ransomware attack is yet to be fully realized, however, published reports are indicating a mass infection across multiple organizations, including but not limited to, the Russian Central bank and the Ukrainian International Airport.

As the investigation around “Petya/NotPetya” continues, from a security perspective this attack could have been much smaller in scope, if not avoided entirely, using a combination of security strategies and defenses. Let’s take a closer look.

At the core of breach mitigation are strategic patch management, compliance and policy enforcement. Because organizations need to test patches before deploying them to business-critical systems, it is important to assign internal criticality ratings to vulnerabilities and to assess the likelihood of exploitation, so that high-priority and immediately vulnerable systems are patched first and imminent threats are prevented from adversely impacting the organization.

Patching without due care and attention could be just as damaging as not patching at all as rolling out untested patches has crippled organizations before. Always ensure the product being patched has full support from the product vendor. In cases where out-of-band patches for end-of-life operating systems are released for a critical vulnerability, the vendor may not fully support it following the emergency patch release. In these cases the vendor should be contacted to ensure full support will be provided during and after the initial patching of the system. A back-out plan to reverse the patch implementation in case the deployed patch affects system performance/security is also required during patching and maintenance activities.

Organizations must employ a stable upgrade and maintenance cycle to help combat this age of cyber threats. Failure to patch, update and upgrade (away from unsupported operating systems) can – at the very least – irreparably damage an organization’s reputation, or – in the worst case, as seen in the recent WannaCry ransomware attack – put public safety at risk.

Patch management should include, but not be limited to, operating system upgrades. Continuing to use operating systems no longer supported by the vendor carries the highest risk, as they give attackers a foothold from which to reach the wider network.

Many known vulnerabilities in unsupported systems will never be fixed, so older, well-known exploits and malware for them remain publicly available to even novice attackers (commonly known as script kiddies), greatly widening the pool of adversaries able to use them.

The last line of defense in a breach mitigation strategy is the end users. Many organizations operate under the mistaken belief that it is the end users who should be protected from threats; however, to effectively protect the network, end users need to be trained and empowered to identify potential threats and help protect company assets from attack.

Phishing and social engineering attacks are extremely simple to conduct, difficult to detect at a technology level and the most likely to succeed. An attacker can fail many times and still get in with a single success, and that single success may be one user failing to recognize an attack, resulting in a breach of the network. End user education is often overlooked in network protection, but it is a critical and often the last line of defense. This kind of awareness spills over into employees’ lives, their children and friends, ultimately raising public awareness, and with it an inherent responsibility to protect ourselves against cyber threats much more effectively now and even more so in the future.

The risk mitigation strategy must be built on the following actions:

  • Regular compliance and policy audits
    • Deploy an Identity and Access Management (IAM) solution to automate and manage user access rights
    • Audit and update user access permissions

Ransomware can only affect files it has access to; typical ransomware has access to the same data as the currently logged in end user. Maintaining end user access permissions can help limit the damage a ransomware infection may cause as not all end users need access to all critical systems.

    • Monitor for non-compliant applications, software and hardware
      • Non-compliant applications, especially those introduced through shadow IT, increase the attack surface

As stated above, the most effective way to reduce an organization’s attack surface is a patch management program.

  • Extended Patching Program
    • Standard patching process for the enterprise with agreed SLAs for critical patches
    • Patching is extended to include patching of third party applications as well as operating systems.
    • Patching status is checked regularly via vulnerability scanners and penetration tests
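As an added worked example (not code from this post), the prioritisation the patching program relies on: each scanner finding gets an internal rating derived from its CVSS score plus exploit availability, exposure, asset role and vendor support, an SLA deadline follows from the rating, and anything past its deadline is flagged. The weights, SLA windows, host names and findings are all assumptions constructed for the illustration; MS17-010 is the real bulletin referred to above, while the EXAMPLE-* identifiers are placeholders rather than real vulnerabilities.

```python
"""Prioritising scanner findings against patch SLAs.

Added example; it is not code from the RSA post. The scoring weights, the
SLA windows, the host names and the findings themselves are assumptions
constructed to illustrate the 'internal criticality rating' the post
describes. MS17-010 is the real Microsoft bulletin the post refers to; the
EXAMPLE-* identifiers are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows (days) agreed per internal rating.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RATING_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float              # vendor/NVD base score, 0-10
    exploit_public: bool     # working exploit or malware using it is in the wild
    internet_exposed: bool   # host reachable from the internet
    asset_critical: bool     # host supports a business-critical service
    vendor_supported: bool   # OS/application still receives vendor patches
    found: date              # date the scanner first reported it


def internal_rating(f: Finding) -> str:
    """Map a raw CVSS score to an internal criticality rating.

    The vendor score is only the starting point: evidence of exploitation in
    the wild, exposure and the asset's role move a finding up the scale.
    An unsupported platform is rated higher because no fix will ever arrive
    and the mitigation has to be isolation or replacement.
    """
    score = f.cvss
    if f.exploit_public:
        score += 2.0
    if f.internet_exposed:
        score += 1.5
    if f.asset_critical:
        score += 1.0
    if not f.vendor_supported:
        score += 1.0
    if score >= 10.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def sla_deadline(f: Finding) -> date:
    return f.found + timedelta(days=SLA_DAYS[internal_rating(f)])


def prioritise(findings, today: date) -> list:
    """Return findings most urgent first, tagged with rating, deadline and
    whether the agreed SLA has already been breached."""
    rows = []
    for f in findings:
        rating = internal_rating(f)
        deadline = sla_deadline(f)
        rows.append({
            "host": f.host,
            "vuln_id": f.vuln_id,
            "rating": rating,
            "deadline": deadline.isoformat(),
            "overdue": today > deadline,
        })
    # ISO dates sort correctly as strings, so (rating, deadline) is enough.
    rows.sort(key=lambda r: (RATING_ORDER[r["rating"]], r["deadline"]))
    return rows


# Constructed findings (not real scan output).
SAMPLE = [
    Finding("fileserver01", "MS17-010", 8.1, True, False, True, True, date(2017, 3, 15)),
    Finding("kiosk-xp-03", "MS17-010", 8.1, True, False, False, False, date(2017, 3, 15)),
    Finding("intranet-web", "EXAMPLE-0001", 9.0, True, True, False, True, date(2017, 6, 20)),
    Finding("dev-box-17", "EXAMPLE-0002", 5.0, False, False, False, True, date(2017, 6, 1)),
]
TODAY = date(2017, 6, 27)

if __name__ == "__main__":
    for row in prioritise(SAMPLE, TODAY):
        print(row)
```

The unsupported kiosk lands in the same critical bucket as the file server even though it is not a critical asset: the rating captures that no patch will ever arrive for it, which is the argument for replacement or isolation made above.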

Applications, software and hardware deemed not compliant according to the IT usage policy increases the attack surface of the company’s assets. Many organizations have a whitelist of applications that have been tested and are verified as safe for use within the organization. These compliant software packages should also be regularly upgraded and patched as well as monitored by the company’s security team for vulnerabilities and exploits reported by each vendor.

  • Utilize a vulnerability scanner to detect vulnerable systems and applications
    • Prioritize and mitigate vulnerabilities that cannot be patched
    • Liaise with vendors to determine mitigation strategies and temporary solutions for such un-patchable vulnerabilities.

Regular scans should be conducted using a vulnerability scanning appliance on the company’s network in order to identify applications that may be vulnerable to exploitation.

A new-found vulnerability may not always be patched immediately due to patch availability from the vendor; however, in these cases the vendor of the vulnerable application will typically be able to provide a mitigation strategy until a patch is made available.

Alternative mitigation strategies include isolating the vulnerable applications/assets from the wider network, or temporarily limiting the communication protocols available to the vulnerable assets until patching can be completed.

  • Research, test and employ advanced techniques to mitigate threat types
    • Place a file in an area of the disk that legitimate applications are configured to ignore, then monitor that file (or the whole area) for changes. This is known as placing tripwires, or canary files: because the file should never change, any modification is an early indication that a ransomware infection may be under way. The technique is best suited to critical systems and large file shares, where the potential for false positive alerts is low and easily managed.

Smaller organizations and home users can purchase internet security packages that include protection against ransomware. These packages use a similar method, preventing third-party applications from accessing files the user has selected for protection.
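An added example of the tripwire technique described above, not code from this post or from any product: decoy files are planted on a share with a recorded baseline, and a periodic check raises an alert when one is rewritten, removed or joined by an unexpected file. The file names, location and alert format are assumptions, and the simulated infection in demo() is constructed.

```python
"""Canary (tripwire) files for early ransomware detection.

Added example; it is not code from the RSA post. The decoy file names, the
location and the alert format are assumptions. In a real deployment the
baseline lives somewhere the endpoint cannot write, the check runs from a
monitoring host over the share, and alerts go to the SIEM/SOC.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Names chosen to sort first and last in a directory listing, because most
# ransomware walks directories in listing order and hits these early.
CANARY_NAMES = ["00_budget_final.xlsx", "aaa_contracts.docx", "zzz_archive.pdf"]


def _fingerprint(path: Path) -> dict:
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def plant_canaries(share_root: Path) -> dict:
    """Create decoys no legitimate process should ever touch and return
    their baseline fingerprints (name -> fingerprint)."""
    share_root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        p = share_root / name
        # Content does not matter to ransomware; it picks targets by
        # extension and location, not by inspecting the bytes.
        p.write_bytes(("canary:" + name + "\n").encode() * 64)
        baseline[name] = _fingerprint(p)
    return baseline


def check_canaries(share_root: Path, baseline: dict) -> list:
    """Compare the share against the baseline and return alerts.

    Three signals cover the usual behaviours: content rewritten in place
    (hash changed), original deleted after an encrypted copy was written
    (missing), and encrypted copies or ransom notes dropped next to the
    decoys (unexpected file). Any hit is high confidence because nothing
    legitimate writes here, which is why the technique suits large shares
    where rate-based detection would be noisy.
    """
    alerts = []
    present = {p.name for p in share_root.iterdir() if p.is_file()}
    for name, base in baseline.items():
        if name not in present:
            alerts.append({"file": name, "reason": "missing"})
            continue
        now = _fingerprint(share_root / name)
        if now["sha256"] != base["sha256"]:
            alerts.append({"file": name, "reason": "content changed"})
        elif now["mtime_ns"] != base["mtime_ns"]:
            alerts.append({"file": name, "reason": "metadata changed"})
    for name in sorted(present - set(baseline)):
        alerts.append({"file": name, "reason": "unexpected file"})
    return alerts


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline off the monitored host (path is an assumption)."""
    path.write_text(json.dumps(baseline, indent=2))


def demo() -> tuple:
    """Plant canaries in a scratch directory, then simulate one ransomware
    pass (constructed): encrypt one decoy in place, rename another to a new
    extension, drop a ransom note. Returns (alerts before, alerts after)."""
    root = Path(tempfile.mkdtemp()) / "share"
    baseline = plant_canaries(root)
    before = check_canaries(root, baseline)
    (root / CANARY_NAMES[0]).write_bytes(bytes((i * 97 + 13) % 256 for i in range(512)))
    (root / CANARY_NAMES[1]).rename(root / (CANARY_NAMES[1] + ".locked"))
    (root / "README_DECRYPT.txt").write_text("pay up")
    after = check_canaries(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean:", before)
    print("after simulated infection:", after)
```

Run the check on a short interval from a host that only has read access to the share; a "content changed" or "missing" alert on a canary is the trigger for the isolation response discussed later in this post, not something to triage at leisure.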

  • Educate users on safe practice and cyber threats
    • Perform user awareness campaigns
      • Send high priority “Must Read” emails warning of phishing email attacks
    • Conduct regular table top exercises and targeted training for critical users
    • Provide additional training and awareness for critical systems’ users

Where possible, organize for the email team to remove known malicious emails from the email servers. Attackers commonly take advantage of newsworthy events to leverage trust from end users in order to make phishing campaigns more successful. Pre-warning end users of a suspected phishing attack will help raise awareness and assist the end users in detecting these attacks.

Organizations are overwhelmed with legacy technologies negatively impacting productivity and creating a false sense of security

Breach mitigation will not be completely effective in all cases, as advanced attackers are well funded, organized and capable. A true zero-day vulnerability is one that was previously undisclosed, and its initial discovery is often made by a security researcher during (or after) incident response activities. By then it is too late: the zero-day has done its job of breaching the targeted network for the attackers. Attackers’ goals vary in impact and severity; from political motives to espionage the attacks themselves may look alike, but whether the goal is to sell or to destroy the data makes a very different impact on the victim. Monitoring for evidence of what happened to the data after it was stolen may allow an organization to react swiftly and minimize the damage from a data leak, or from data destruction for financial gain. Regardless, a company can still prepare for most breach eventualities.

When developing threat detection, protection and prevention use cases, it’s useful to create a threat scenario. For example, a scenario on the impact and capability of a ransomware infection would highlight areas where attention is required for response and recovery actions.

Ransomware Threat scenario
An end user receives a phishing email and clicks a link that takes the end user to an untrusted website. The link downloads and infects the target with ransomware. The ransomware scans the target hard drive, in addition to any accessible network shares, encrypting specific file types. Once encrypted a popup screen displays demanding payment to unlock the system. Failure to pay results in the deletion of the decryption key, offering no method to restore the affected files.

This threat scenario highlights several potential issues that may be prevented, or prepared for, before the threat is realized. Typical ransomware scans the network shares attached to the target asset and encrypts what it can reach there; worm-capable variants also spread to other hosts, often before any data is encrypted or any sign of infection appears on the originally compromised asset.

Mitigation advice for ransomware often includes regular data backups to an offsite facility. As with hardware failures and natural disasters, these backups will not include the latest data. Ransomware attacks are more prevalent and more likely to occur than a total redundant hardware failure or a natural disaster, so they deserve more in-depth analysis. Of course, backups are still necessary and provide some assurance of returning to business.

Payment, generally considered an invitation to further ransomware and other attacks from threat actors, does not guarantee full resolution of the situation. The potential for future re-encryption, or for decryption to fail, makes paying the ransom a business decision. That decision should be made after a risk assessment comparing the cost of temporary data loss, the impact of downtime and the consequences of permanent data loss. To prepare for this scenario, stakeholders must be briefed and ready to make a business decision. Third-party incident response groups are typically brought in during these situations.

Preparation allows these third-party incident response teams to act swiftly, quickly disrupting the attack, effectively minimizing impact and restoring service with minimal disruption.

The Mitigation strategy must be built on the following actions:

  • Breach response exercises
    • Key stakeholders should be included in table-top exercises on virtual breach incidents
      • While there is no substitute for real-world experience the exercise can be made to “feel real” with time sensitive activities scored against the clock and reviewed during the lessons learned phase at the conclusion of the exercise.
    • The best analysts in the world have handled many different incidents, gaining invaluable experience that cannot be taught. A breach response exercise provides a team the opportunity to experience an advanced attack without the risk.
    • Simulating real-world technical breaches tests and prepares the company’s security operations center (SOC).

Running breach exercises allows a company to develop new complex attack scenarios and challenge a company’s team to conduct more advanced exercises to better prepare your organization.

  • Develop a ‘moat & drawbridge’ isolation response
    • In emergency situations, isolation for the protection of the wider network is critical
      • Ensure all network partitions are mapped and capable of isolation in emergency situations.
    • Critical networks should be isolated first; what constitutes a critical network may depend on the threat. Develop a matrix to determine the priority of network partitions during a breach.

Breaches will occur. It’s simply not possible to prevent every attack from resulting in a breach. Even the most tech savvy and conscientious employees can fall victim to an advanced spear phishing attack. The most current and robust technology can potentially be exploited via a zero-day vulnerability from an incentivised attacker.

However, with careful and guided preparation and prevention, a company is more than half way to mitigating a breach before it occurs. The final step, response, must be swift, decisive and exacting.

Having the ability to monitor the attack, and to pull up the drawbridge (when deemed necessary) in seconds rather than hours, may aid in better understanding the attacker’s end goal. This can be useful for intelligence purposes, possibly identifying the attacker’s exfiltration point, or uncovering additional compromised assets in use (or held in reserve to regain entry once you have remediated and recovered from the attack).

  • Strategic monitoring
    • Following a breach, strategic monitoring is the act of watching the threat actors conduct operations on the network with a view to understanding their capabilities, goals and tactics. Although risky, in some circumstances this tactic can be extremely useful in combating a persistent threat actor. This strategy should not be attempted without expert advice from a team of security professionals who are trained and capable of performing a breach response exercise such as this or outsourced to a third party incident response team.

Responses must be tailored to the threat. The response for a breach attempting to exfiltrate sensitive data cannot be the same as a response for a ransomware attack. When developing attack scenarios, use cases should be coupled with Incident Response Procedures (IRP) tailored to the threat type. These procedures must be reviewed, analyzed and updated at the end of every related incident to ensure they are kept up-to-date, amended to resolve any issues encountered with the procedure and maintained with the applicable advancing analyst and technology capabilities. All other areas of the IRP should be targeted against the specific threat.

Attack vectors and TTPs are used to build attack scenarios, which are used to identify threat indicators. Threat indicators are mapped against data sources to identify usable detection logic. Detection logic is mapped against IRPs.

Example of threat scenarios

Example of commonality identified across IRPs

Example of IRPs for internet access without a proxy

Response procedures should include steps for incident triage, investigation, containment, eradication and recovery. Incident closure only occurs following a full debrief; this may be weeks or months after a breach. There are no prizes for closing a breach incident quickly, as it is akin to a project. Forensic/malware analysis must be conducted and post-breach monitoring use cases implemented. These use cases must have an increased priority response to decrease response times in the event the attackers resurface or were not successfully removed from the network during the initial breach remediation (it is not uncommon for advanced attackers to leave behind multiple backdoors). Do not underestimate advanced attackers when they use seemingly basic attack methodology. Just as you would not use a precision laser to cut a loaf of bread, an advanced attacker would not use a zero-day vulnerability against a target vulnerable to well-known exploit code.

The Response strategy must be built on the following actions:

  • Identify the immediate impact and apparent goal of the breach
    • Determine which response procedure is best to mitigate the attack; decide whether to monitor or disrupt the attack.
  • Collect evidence and forensically analyze the breach
    • Multiple incidents occur on a daily basis, but a breach should not be a regular occurrence. Understanding the mechanics and strategy behind the breach can help to prepare and, ultimately, respond quickly and efficiently to future breach attempts. The goal of this strategy is to build up to an advanced SOC (ASOC) with the ability to disrupt advanced attacks before the threat actor reaches their goal.
  • Conduct a debrief
    • Use this portion of the response procedure to identify weak points in technology, training and capabilities. When producing the final breach report for the executives, include a detailed roadmap covering why it happened, how to prevent it happening again, and the estimated cost of becoming capable of disrupting future breaches. This allows the business to work alongside the security team to develop a Business-Driven Security™ solution.

These strategies are only a small part of the overall security program an organization needs to maintain safe operations with minimal impact to the assets which keep the business running. Each strategy can be diversely expanded, reduced or combined according to business and security requirements. Leaving out any of these strategies negatively impacts the business and increases overall risk.

It’s incumbent on all of us to develop a threat mitigation strategy.

The post Breach Response: Mitigating an Outbreak appeared first on Speaking of Security – The RSA Blog.



Detecting “Petya/NotPetya” with RSA NetWitness® Endpoint and RSA NetWitness® Packets


By Alex Cox, Christopher Elisan and Erik Heuser, RSA Research

A ransomware variant known as “Petya/NotPetya” began making the rounds on June 27, 2017. It takes a different approach to denying the victim access to their files. Instead of displaying a message and letting the victim browse the system to see that the target files are encrypted, this ransomware locks the user out of the whole system. It does so by modifying the system’s Master Boot Record (MBR) so that the code in the first boot sector jumps to the malicious code, a classic trick employed by boot-sector malware. As a result, the system is under the control of the ransomware and cannot be booted back into the Microsoft Windows operating system.

After every reboot or startup, the boot sector code is passed to the malware, displaying a splash page as seen in Figure 1.


Figure 1: “Petya/NotPetya” splash page

After the victim presses a key, it displays the message as seen in Figure 2.

Figure 2: “Petya/NotPetya” Ransomware

Unlike other ransomware attacks, wherein the victim can still use the system to purchase the decryption key, the only way for a “Petya/NotPetya” victim to do this is to use another system.

Infection Vector
RSA Research traced the initial infection vectors to these primary sources: 

  • A subverted update file for a Ukrainian accounting software package that is mandated for use by the Ukrainian Government, which infects the machine that pulls the subverted file from the software company’s update site.
  • Propagation via the EternalBlue (also used in WannaCry) and EternalRomance exploits.
  • Lateral movement via credentials stolen from the target host (on similarly configured hosts this allows infection of hosts that are already patched).

“Petya/NotPetya” Dissected
Below is a detailed analysis of “Petya/NotPetya” ransomware.

Sample Metadata

File Name: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1.dll
File Size: 362360 bytes
MD5:       e285b6ce047015943e685e6638bd837e
SHA1:      9717cfdc2d023812dbc84a941674eb23a2a8ef06
PE Time:   0x5945EFBD [Sun Jun 18 03:13:01 2017 UTC]

Sections (5):

Name     Entropy   MD5
.text    6.55      ac2bb78f4833ba7912cc59cf212ccbe5
.rdata   6.99      dd0dc0f90617202ff84c3bfe64150483
.data    5.43      5216f0c62d1fd41b1d558e129e18d0fe
.rsrc    8.0       f07e68575f50a62382d99e182baa05d5
.reloc   4.77      facab7a1f0a7f93668b076a8c88dbb8f
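The entropy column is the part of this table worth reading first: .rsrc at 8.0, the maximum for a byte stream, means the resources are compressed or encrypted rather than ordinary icons and strings, which is where a dropper typically hides the payloads it writes out at run time. As an added example (not RSA’s code), the calculation and a simple per-section verdict, run over constructed stand-in section contents rather than the sample’s bytes; the 7.2 threshold is a common rule of thumb, not a value from the post.

```python
"""Shannon entropy of PE sections as a packing/encryption indicator.

Added example; it is not RSA's code. The section contents below are
constructed stand-ins, not bytes from the sample, and the 7.2 threshold is
a common rule of thumb rather than a value from the post.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a run of one value, 8.0 for a uniform spread
    of all 256 values. Compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(name: str, data: bytes) -> str:
    e = shannon_entropy(data)
    if e >= 7.2:
        return "high entropy: compressed, packed or encrypted payload"
    if name == ".text" and e < 5.0:
        return "low entropy for code: mostly padding or a small stub"
    return "typical"


def section_report(sections: dict) -> dict:
    """name -> (entropy rounded to 2 dp, classification)."""
    return {n: (round(shannon_entropy(d), 2), classify_section(n, d))
            for n, d in sections.items()}


# Constructed stand-ins for the five sections in the metadata table.
SAMPLE_SECTIONS = {
    ".text": bytes(range(64)) * 16,          # 64 values evenly: 6.0 bits
    ".rdata": bytes(range(128)) * 8,         # 128 values evenly: 7.0 bits
    ".data": bytes(range(32)) * 32,          # 32 values evenly: 5.0 bits
    ".rsrc": bytes(range(256)) * 4,          # every value evenly: 8.0 bits
    ".reloc": bytes([0, 1, 2, 3]) * 256,     # 4 values evenly: 2.0 bits
}

if __name__ == "__main__":
    for name, (e, verdict) in section_report(SAMPLE_SECTIONS).items():
        print(f"{name:7} {e:4.2f}  {verdict}")
```

Entropy alone does not say what is in a section; it says where to look next, which for a high-entropy .rsrc means dumping each resource and checking whether it is a compressed executable or a blob the code decrypts before use.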

“Petya/NotPetya” exports a single function, called by ordinal, through which execution begins, and RSA NetWitness® Endpoint is engineered to track that. The DLL immediately opens the disk and overwrites the MBR and the NTFS boot record (discussed below). It then schedules a task to shut down and reboot the computer one hour after the malware first launched. There are no persistence mechanisms other than the MBR and NTFS boot record: once the reboot hands control to the malicious boot code, the operating system is no longer needed.

Figure 3 “Petya/NotPetya” Execution Process

RSA NetWitness Endpoint is also designed to discover floating DLLs roughly the same size as the original DLL allocated inside the rundll32.exe address space, along with four suspicious threads. RSA NetWitness Endpoint is built to tag these as suspicious because the allocated memory segments have the execute bit set and are not part of the regular code segments mapped into memory by the Windows loader. In fact, instead of shellcode, an entire DLL has been manually mapped and run.

Figure 4 Floating DLL with Suspicious Threads

By digging into the binary itself, we find code that asks the discovered DHCP server for the address range it serves, giving the malware a list of neighbouring hosts to attack.

Figure 5 Enumeration of DHCP address space

This is detected by the RSA NetWitness Endpoint and RSA NetWitness® Packets suite in several ways. RSA NetWitness Packets is designed to identify this traffic as a rogue DHCP server, because this behavior is uncommon for a client application.

Figure 6 Rogue DHCP Server

Figure 7 Malware Sending Request Parameter List Option

RSA NetWitness Endpoint is engineered to identify this through the SMB/RPC connections to all the machine IPs available in the DHCP servers’ configured range.

Figure 8 Network Tracking Data for NEW
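An added example of the network-side logic behind that detection, not RSA NetWitness code: from a flow or connection log, flag any source that opens SMB/RPC connections to an unusually large number of distinct peers inside a short window, which is what a host walking the DHCP server’s address range looks like. The record format, the thresholds and every connection below are constructed.

```python
"""Detecting SMB fan-out: one host opening 445/139/135 to many peers.

Added example; it is not RSA NetWitness logic. The record format, the
thresholds and every connection below are constructed. Map the fields to
whatever your flow sensor, Zeek conn.log or endpoint agent emits.
"""
from collections import defaultdict, deque

LATERAL_PORTS = {445, 139, 135}   # SMB, NetBIOS session, MS-RPC endpoint mapper
WINDOW_SECONDS = 60
MIN_DISTINCT_PEERS = 20           # a workstation rarely talks SMB to 20 hosts a minute


def parse_record(line: str) -> tuple:
    """'<epoch> <src_ip> <dst_ip> <dst_port>', whitespace separated."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def detect_fanout(records, window=WINDOW_SECONDS, threshold=MIN_DISTINCT_PEERS) -> list:
    """records: (ts, src, dst, dport) tuples sorted by ts.

    Keeps a sliding window per source of the peers it touched on lateral
    movement ports and raises one alert per source the first time the number
    of distinct peers inside the window reaches the threshold. Counting
    distinct peers rather than connections keeps a busy client hammering one
    file server from alerting.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst)
    alerted = set()
    alerts = []
    for ts, src, dst, dport in records:
        if dport not in LATERAL_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "window_start": q[0][0], "ts": ts,
                           "distinct_peers": len(peers)})
    return alerts


def sample_records() -> list:
    """Constructed traffic: ten clients using the file server normally, plus
    one host sweeping 10.0.0.1-40 on 445 (the range it learned from the DHCP
    server) inside twenty seconds, with some unrelated HTTPS mixed in."""
    t0 = 1498550400.0             # 2017-06-27 08:00:00 UTC
    lines = [f"{t0 + i * 7} 10.0.0.{20 + i} 10.0.0.5 445" for i in range(10)]
    lines += [f"{t0 + 30 + i * 0.5} 10.0.0.77 10.0.0.{i} 445" for i in range(1, 41)]
    lines.append(f"{t0 + 31} 10.0.0.77 203.0.113.10 443")
    return sorted(parse_record(line) for line in lines)


if __name__ == "__main__":
    for alert in detect_fanout(sample_records()):
        print(alert)
```

Tune the threshold per host role: a domain controller or a vulnerability scanner legitimately reaches hundreds of peers on these ports and belongs on an allow list, while a user workstation crossing twenty distinct SMB peers in a minute is worth an immediate look.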

RSA NetWitness Endpoint is also built to pull the MBR and the NTFS boot record so the changes this malware has made can be seen. The MBR appears to be destroyed: the code area, partition table, boot signature and other parts of a modern MBR have all been replaced, as shown in Figure 9.

Figure 9 OverWritten MBR
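An added example (not RSA NetWitness code) of the check an endpoint agent or a forensic script can make on a captured sector 0: compare the boot-code hash with a baseline taken when the machine was known good, and sanity-check the partition table and the 0x55AA signature. Both images are constructed, one a plausible clean MBR and one fully overwritten as in Figure 9; the same approach applies to the NTFS boot record of the active partition.

```python
"""Checking a captured MBR against a known-good baseline.

Added example; it is not RSA NetWitness code. Both 512-byte images are
constructed: a plausible clean MBR and one whose boot code, partition table
and signature have all been overwritten, as the post describes. A real check
reads sector 0 from \\\\.\\PhysicalDrive0 (Windows) or /dev/sda and keeps the
baseline hash off the endpoint, where the malware cannot update it.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0-445 are boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"        # bytes 510-511


def bootcode_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four entries; skip empty ones (type 0)."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({"status": status, "type": ptype,
                            "lba": lba, "sectors": sectors})
    return entries


def assess_mbr(mbr: bytes, baseline_bootcode: str) -> list:
    """Return findings; an empty list means the sector matches the baseline.

    The hash comparison catches the stealthy case where only the boot code
    is swapped and the partition table and signature are left intact; the
    structural checks catch the destructive case where everything is gone.
    """
    if len(mbr) != MBR_SIZE:
        return ["not a 512-byte sector"]
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if bootcode_sha256(mbr) != baseline_bootcode:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("no partition entries")
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            findings.append("zero-length partition")
    return findings


def make_clean_mbr() -> bytes:
    """Constructed clean MBR: stand-in boot code, one bootable NTFS (type 7)
    partition at LBA 2048, valid signature."""
    boot = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 56)[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return boot + entry + b"\x00" * 48 + SIGNATURE


def make_overwritten_mbr() -> bytes:
    """Constructed stand-in for Figure 9: the whole sector replaced by the
    malware's own code, so no valid table and no 0x55AA."""
    return bytes((i * 37 + 11) % 256 for i in range(MBR_SIZE))


if __name__ == "__main__":
    baseline = bootcode_sha256(make_clean_mbr())
    print("clean:      ", assess_mbr(make_clean_mbr(), baseline))
    print("overwritten:", assess_mbr(make_overwritten_mbr(), baseline))
```

The baseline has to be captured before the fact and stored off the host; a check that hashes sector 0 and compares it with a copy kept on the same disk proves nothing once malware has write access to the raw device.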

This is an ongoing investigation, and more will be posted as we continue our research.


Learn more about RSA NetWitness Suite capabilities here, and how to mitigate outbreaks here.

The post Detecting “Petya/NotPetya” with RSA NetWitness® Endpoint and RSA NetWitness® Packets appeared first on Speaking of Security – The RSA Blog.



Alienware 15 Now Shipping with Max-Q Technology


Half Christmas is here and we’ve got a present for you.

Ok, technically Half Christmas was June 25, but today, June 27, our Alienware 15 laptop with NVIDIA GeForce GTX 1080 with Max-Q design became available for purchase in the U.S. for $2,499.

Alienware 15 laptop notebook front view

Alienware’s adoption of Max-Q technology provides the highest performance possible in a 15.6” notebook, while lowering the power consumption to 110 watts, and continuing our tradition of designing outstanding products tailored specifically for gamers.

While Max-Q design is engineered for a thin gaming laptop, our design team’s focus on what our customers want means we didn’t change the basic form factor of the Alienware 15 for Max-Q.

“We’ll go as thin as we feel comfortable,” Director of PC Product Planning Joe Olmsted told CNET recently. “We weigh those tradeoffs a lot, and gamers would prefer a good full deep-dished keyboard.”

So we will continue to provide uncompromised gaming experience with a premium keyboard and thermals on Alienware 15 that allows for higher wattage and greater performance. Just what sort of performance are we talking? Here are the results of our testing:

performance chart for Alienware 15 with 1080 MQ

Alienware 15 notebooks with Max-Q technology will offer the highest total graphics power (TGP) available (110W) while continuing to offer outstanding features that gamers appreciate including:

  • The Alienware TactX RGB keyboard with 2.2mm of travel, steel back plate for rigidity and true n-key rollover.
  • Full AlienFX lighting for deeper game immersion.
  • An industry-leading 99WHr battery for full-gaming power away from your AC adapter.
  • Full complement of I/O for the most popular gaming devices including multiple USB 3.1 ports, HDMI, mDP, Gigabit Ethernet, and two audio ports.
  • The ability to upgrade and add new components like memory and storage with two SODIMMS and one HDD and three SSD slots
  • Dynamic CPU overclocking to ensure you get as much performance as possible every second.
  • High-quality webcam supporting Windows Hello facial recognition with dual-array microphones for streaming, Skyping, or just talking with your teammates when you leave your headset at home.
  • Outstanding display quality designed specifically for gaming including G-sync, wide viewing angles, 120Hz refresh, brilliant colors, and high luminance.
  • A touchpad you can actually use with tactile buttons in a convenient location for both lefties and righties.
  • Programmable macro keys that allow you to reduce a series of repetitive keystrokes to a single click.
  • Great acoustics: “the cooling fans are nearly silent while the speakers pack a really nice punch” notes Linus Tech Tips. (below)

Linus Sebastian of Linus Tech Tips hugging an Alienware 15 laptop

So if you’re ready for performance never before possible in an Alienware 15, if future graphics, memory and storage upgradability are important to you, and if you would like a laptop design that ensures your fingertips won’t burn as your game heats up...

Then Merry Half Christmas to you!




Gen 6: Data Drive Location, Identification, and Replacement

The last couple of articles generated several questions around the location, identification and management of hard drives in the new Gen 6 platform.

As a quick recap, each Gen 6 chassis comprises four nodes, each of which contains a compute node module and a set of five drive sleds that all plug into the chassis midplane. The chassis design focuses on a modular architecture that helps maximize density, simplifies serviceability and avoids single points of failure through a mantra of redundancy everywhere.

The compute module houses all of the node hardware components with the exception of the data drives. These include a single processor, RAM, SAS controller, SAS Expander, battery backup, vault drive, up to two SSD drives, front-end ethernet NIC, and a back-end network card.

The four nodes within each chassis are grouped into compute node pairs. Each pair shares power from their power supplies – one power supply per compute node. These compute node pairs use Intel’s Non-Transparent Bridge (NTB) technology to enable high speed connectivity between nodes via the PCI interface. The Non-Transparent Bridge connection between nodes is used to mirror the OneFS journal to the partner node, and vice versa.

The Gen 6 data drives are mounted in drive sleds, up to five sleds per node.


There are three different sled types found in the Gen 6 platform, depending on the chassis type. For 3.5 inch SATA drives, there is either a three drive ‘short sled’ (most prevalent), or a four drive ‘long sled’ (used in the A2000). The drives in these are placed longitudinally.


For 2.5 inch SAS drives, there’s a short sled which houses up to six drives, lying transverse in the tray (used in the F800 and H600).


The Gen 6 chassis uses a bay-grid numbering system. The nodes are numbered 1 through 4 from left to right, looking at the front of the chassis where the drive sleds are housed. Each node’s five drive sleds are arranged vertically and referenced as A through E from top to bottom. For example, in the following diagram, sled E from node 1 is shown removed:


Within each sled, the drives are numbered sequentially from the front to the back of the tray. The drive closest to the front is always number 0, while the drive closest to the back is 2, 3 or 5, according to the drive sled type.

For example, consider an H500 chassis with the following data drive specs:

  • Drive Type: 3.5” SAS/SATA
  • Sleds per Node: 5
  • Drives per Sled: 3
  • Total Drive Count: 60
  • Drive Capacity: 4TB

Here’s an image of the drive and sled arrangement in node 1 of this H500:


The drive at the back of the bottom sled in the left most stack of sleds would be node 1, sled E, drive 2 – or 1E2.

The location of a drive bay can be seen by viewing the drives in a node via ‘isi devices drive list’:


This is in contrast with previous versions of Isilon nodes, where ‘location’ is a single digit, since there’s no concept of a drive sled.


Similarly, consider an H600 with the following data drive makeup:

  • Drive Type: 2.5” SAS
  • Sleds per Node: 5
  • Drives per Sled: 6
  • Total Drive Count: 120
  • Capacity: 600GB

The drive highlighted in red would be node 1, sled C, drive 3 – or 1C3.
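An added example of the bay-grid naming, not OneFS code: build, parse and validate a location string for a given sled type, and describe it for the person walking to the rack. The drives-per-sled counts mirror those given above; the sled-type labels are assumptions.

```python
"""Gen 6 drive-location (bay-grid) helper.

Added example; it is not OneFS or Dell EMC code. The drives-per-sled table
mirrors the counts in the article (3-drive short sled, 4-drive long sled,
6-drive 2.5-inch sled); the sled-type names are labels assumed here.
"""
import re

NODES_PER_CHASSIS = 4
SLEDS = "ABCDE"                   # per node, top (A) to bottom (E)
DRIVES_PER_SLED = {
    "short_3.5": 3,               # 3 x 3.5" drives, e.g. H500
    "long_3.5": 4,                # 4 x 3.5" drives (A2000)
    "short_2.5": 6,               # 6 x 2.5" SAS drives (F800, H600)
}
_LOC = re.compile(r"^([1-4])([A-E])([0-9])$")


def location(node: int, sled: str, drive: int, sled_type: str) -> str:
    """Build '<node><sled><drive>' such as '1E2', validating every part."""
    per_sled = DRIVES_PER_SLED[sled_type]
    if not 1 <= node <= NODES_PER_CHASSIS:
        raise ValueError(f"node must be 1-{NODES_PER_CHASSIS}, got {node}")
    if sled not in SLEDS:
        raise ValueError(f"sled must be one of {SLEDS}, got {sled!r}")
    if not 0 <= drive < per_sled:
        raise ValueError(f"{sled_type} sled holds drives 0-{per_sled - 1}, got {drive}")
    return f"{node}{sled}{drive}"


def parse_location(loc: str, sled_type: str) -> tuple:
    """'1C3' -> (1, 'C', 3), rejecting anything outside the grid."""
    m = _LOC.match(loc)
    if not m:
        raise ValueError(f"malformed location {loc!r}")
    node, sled, drive = int(m.group(1)), m.group(2), int(m.group(3))
    location(node, sled, drive, sled_type)   # re-use the range checks
    return node, sled, drive


def is_valid_location(loc: str, sled_type: str) -> bool:
    try:
        parse_location(loc, sled_type)
        return True
    except (ValueError, KeyError):
        return False


def describe(loc: str, sled_type: str) -> str:
    """Human-readable position for the person walking to the rack."""
    node, sled, drive = parse_location(loc, sled_type)
    last = DRIVES_PER_SLED[sled_type] - 1
    vertical = {"A": "top", "E": "bottom"}.get(sled, f"{SLEDS.index(sled) + 1} from top")
    depth = "front" if drive == 0 else ("rear" if drive == last else f"{drive + 1} from front")
    return f"node {node}, sled {sled} ({vertical}), drive {drive} ({depth})"


def chassis_drive_count(sled_type: str) -> int:
    return NODES_PER_CHASSIS * len(SLEDS) * DRIVES_PER_SLED[sled_type]


if __name__ == "__main__":
    print(describe("1E2", "short_3.5"), "/", chassis_drive_count("short_3.5"), "drives per chassis")
    print(describe("1C3", "short_2.5"), "/", chassis_drive_count("short_2.5"), "drives per chassis")
```

The validation matters more than the string building: a location such as 1E3 is well formed but does not exist on a three-drive sled, and catching that before a field engineer pulls a sled is the point of the check.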

The front left of each drive sled presents a display panel. This panel contains 3 LEDs and a push button.


The top ‘blue’ LED indicates power and drive activity for the sled. Under this is a yellow warning LED that reports a sled fault. Below this is a white ‘not safe to remove’ LED.


When illuminated, this ‘white hand’ LED indicates that the sled is in service. Do NOT remove any sled from the chassis until its white LED is extinguished, as doing so may cause data loss.

Each chassis is also equipped with a front panel display. This front panel display is hinged, so it can swing clear of the drive sleds behind it. It’s attached to the midplane by a ribbon cable that runs down the length of the chassis.


The front panel display contains an LCD display panel which provides status on the cluster alerts, etc. There are also four numbered power/fault indicator buttons, one for each node. These will be green for normal operation, but will show amber if there is a fault on that node. Additionally, there is a five-button illuminated touch keypad for controlling the display panel functionality.


Under normal operating conditions the blue power LED and the white ‘hand’ LED will be illuminated. However, if a drive faults or fails for any reason (or if a cluster admin issues a proactive drive smartfail), in addition to amber warning lights and LCD notifications for the affected node, OneFS will illuminate the amber fault light on the appropriate sled’s display panel.

Each drive bay in a sled also has amber fault indicator LEDs (in addition to slot labeling) to make it easy to identify the appropriate drive for servicing:



The procedure to replace a failed drive is as follows:

  1. When a drive is faulted and ready for replacement, OneFS will illuminate the Front Panel Fault LED associated with that node, the Drive Sled Fault LED, and the Fault LED associated with that drive.
  2. Identify the front panel display with the Fault LED on, remove its bezel and then locate the drive sled with the fault LED illuminated.
  3. Push the ‘request for service’ button on the sled display panel to notify OneFS that the sled is about to be removed.
  4. The white hand ‘not safe to remove’ LED will immediately blink to acknowledge the button press.
  5. OneFS then prepares itself for losing up to 6 working drives (on 2.5” sled) and, when ready, the white hand LED is switched off.
  6. When the white hand LED has turned off, it is now safe to pull the sled.
  7. Insert the new drive into the empty slot in the sled.

As we will see in the next article, OneFS 8.1 introduces the Automatic Replacement Recognition feature for simplified drive replacement.